Does a JAR need to be signed to be JNLP launched?

[Qu0ll]

I am trying to get my first JNLP-launched applet (and that's something that
runs *inside* the browser) but I get the following exception:

Exception: com.sun.deploy.net.JARSigningException: Found unsigned entry in
resource: http://localhost:8080/test/TestApplet.jar

Which leads me to ask, does a JAR need to be signed to be launched via JNLP?

I am using Java 6 Update 16, GlassFish 2.1 and Firefox 3.5.2 on Windows
Vista.

--
And loving it,

-Qu0ll (Rare, not extinct)
_________________________________________________
(e-mail address removed)
[Replace the "SixFour" with numbers to email me]

 

[Qu0ll]

I am trying to get my first JNLP-launched applet (and that's something
that runs *inside* the browser) but I get the following exception:

Exception: com.sun.deploy.net.JARSigningException: Found unsigned entry in
resource: http://localhost:8080/test/TestApplet.jar

Which leads me to ask, does a JAR need to be signed to be launched via
JNLP?

I am using Java 6 Update 16, GlassFish 2.1 and Firefox 3.5.2 on Windows
Vista.

Never mind, the answer is no.

--
And loving it,

-Qu0ll (Rare, not extinct)
_________________________________________________
(e-mail address removed)
[Replace the "SixFour" with numbers to email me]

 

[John B. Matthews]

I am trying to get my first JNLP-launched applet (and that's something that
runs *inside* the browser) but I get the following exception:

Exception: com.sun.deploy.net.JARSigningException: Found unsigned entry in
resource: http://localhost:8080/test/TestApplet.jar

Which leads me to ask, does a JAR need to be signed to be launched via JNLP?

I am using Java 6 Update 16, GlassFish 2.1 and Firefox 3.5.2 on Windows
Vista.

I don't the JAR has to be signed [1], but entries have to be signed with
the same certificate [2]. What's your <security> setting?

[1]<http://java.sun.com/docs/books/tutorial/deployment/webstart/
security.html>
[2]<http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/
faq.html#213>

 

[Roedy Green]

I am trying to get my first JNLP-launched applet (and that's something that
runs *inside* the browser) but I get the following exception:

In theory you can write unsigned Java Web Start apps, but there are so
many restrictions on them, in practice you probably never will. For
example, you can't examine any user properties. See the limitations
of the sandbox at http://mindprod.com/jgloss/javawebstart.html#SANDBOX


--
Roedy Green Canadian Mind Products
http://mindprod.com

"You can have quality software, or you can have pointer arithmetic; but you cannot have both at the same time."
~ Bertrand Meyer (born: 1950 age: 59) 1989, creator of design by contract and the Eiffel language.

 

[Qu0ll]

I am trying to get my first JNLP-launched applet (and that's something
that
runs *inside* the browser) but I get the following exception:

Exception: com.sun.deploy.net.JARSigningException: Found unsigned entry
in
resource: http://localhost:8080/test/TestApplet.jar

Which leads me to ask, does a JAR need to be signed to be launched via
JNLP?

I am using Java 6 Update 16, GlassFish 2.1 and Firefox 3.5.2 on Windows
Vista.

I don't the JAR has to be signed [1], but entries have to be signed with
the same certificate [2]. What's your <security> setting?

[1]<http://java.sun.com/docs/books/tutorial/deployment/webstart/
security.html>
[2]<http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/
faq.html#213>

I was specifying all permissions in the <security> setting and this seems to
have required that my applet's JAR was signed by the same authority as the
signer of the extensions I am using (which is Sun Microsystems). By
removing the <security> element altogether I am able to launch the applet
without using any form of signing.

--
And loving it,

-Qu0ll (Rare, not extinct)
_________________________________________________
(e-mail address removed)
[Replace the "SixFour" with numbers to email me]

 

[Qu0ll]

In theory you can write unsigned Java Web Start apps, but there are so
many restrictions on them, in practice you probably never will. For
example, you can't examine any user properties. See the limitations
of the sandbox at http://mindprod.com/jgloss/javawebstart.html#SANDBOX

This is an applet not an application and I can live within the security
restrictions of the sandbox. Using JNLP to launch the applet enables me to
utilise extensions which include native libraries without signing my applet
and provides access to all the JNLP-enabled functionality like
DownloadService and PersistenceService etc.

--
And loving it,

-Qu0ll (Rare, not extinct)
_________________________________________________
(e-mail address removed)
[Replace the "SixFour" with numbers to email me]

 

[Roedy Green]

Exception: com.sun.deploy.net.JARSigningException: Found unsigned entry in
resource: http://localhost:8080/test/TestApplet.jar

I thought when you said "Applet" you meant "JWS app". Not many people
besides Andrew use Java Web Start to launch true Applets.

Examine the jar with WinZip. If any jar entry is signed, they all must
be. Also all jars must be signed with the same cert, unless you have
multiple JNLP files.

Another thought. Get a stack trace, and see if some other exception
triggered that one.
--
Roedy Green Canadian Mind Products
http://mindprod.com

"You can have quality software, or you can have pointer arithmetic; but you cannot have both at the same time."
~ Bertrand Meyer (born: 1950 age: 59) 1989, creator of design by contract and the Eiffel language.

 

[Roedy Green]

I was specifying all permissions in the <security> setting and this seems to
have required that my applet's JAR was signed by the same authority as the
signer of the extensions I am using (which is Sun Microsystems).

If you think about it, that is obvious. You requested permission to
do damn well anything you pleased, in other words, to work outside any
Applet/Java Web Start sandbox. So, of course you needed signing.

The problem is the

<security>
<all-permissions />
<!-- all-permissions requires the jars be signed -->
</security>

is always present, so it becomes effectively invisible to the
consideration.
--
Roedy Green Canadian Mind Products
http://mindprod.com

"You can have quality software, or you can have pointer arithmetic; but you cannot have both at the same time."
~ Bertrand Meyer (born: 1950 age: 59) 1989, creator of design by contract and the Eiffel language.

 

[John B. Matthews]

What's your <security> setting?

[...]
I was specifying all permissions in the <security> setting and this
seems to have required that my applet's JAR was signed by the same
authority as the signer of the extensions I am using (which is Sun
Microsystems). By removing the <security> element altogether I am
able to launch the applet without using any form of signing.

If your applet can be useful in a sandbox, users can still run it even
if they reject the certificate, as shown in this toy example:

<http://sites.google.com/site/drjohnbmatthews/subway>

There may reasons _not_ to sign it; but even an expired, fake
certificate has the value of minimizing the risk of tampering.